'One size fits all' EU data law would undermine rights, says Clarke

New European data protection law proposals risk compromising freedoms and security, UK Justice Secretary Ken Clarke has said. He said that he opposed a 'one size fits all' approach to European data protection law.

"A preoccupation with imposing a single, inflexible, codified data protection regime on the whole of the European Union, regardless of the different cultures and different legal systems, carries with it serious risks," Clarke said in a speech to the British Chamber of Commerce in Brussels.

"Let us keep the broad principles of the existing Directive and better understand the 27 laws we all in our nation states have, rather than setting out to create in detail an additional 28th radically different, and artificial new set of laws," Clarke said.

The European Commission plans to update the EU's Data Protection Directive but Clarke said that that the plans risked undermining some basic rights.

"Rather than improving privacy, safety and freedom, there is a real risk that some of these ideas might accidentally undermine them," Clarke said.

"Our experience in the United Kingdom and most of the other Member States is that security, and freedom, and privacy are all possible, and that all our citizens want to see all three," Clarke said.

Clarke said that it was a "false choice" to choose between security, freedom and privacy and said he wanted the EU to adopt a "flexible regime".

Clarke criticised EU plans that would force website operators to delete user details, creating a 'right to be forgotten'. Earlier this year Viviane Reding, Vice President of the European Commission, said she wanted users to have the right to withdraw their consent to companies using their data. Reding said companies should prove that they need to keep customers' data.

Clarke said he was unsure how the plans could work in practice and said it would create "an unachievable standard" that would disappoint the public. He said the plans could censor publically available information and that it would adversely affect businesses and public sector organisations.

"A whole range of vital services that consumers rely upon critically depend, in turn, on the availability of data," Clarke said.

"Without reasonably portable health records for example, it’s hard to see how medical services can operate sensibly. Without appropriately regulated data on credit histories, then loans and mortgages might in future be very limitedly available – and might even only be available to the very wealthy," Clarke said.

Plans to tighten the access to data for law enforcement agencies could affect the way Governments tackle terrorism and serious crime, he warned.

"If we are to be successful in protecting the safety of our peoples against very sophisticated enemies, then we need to be nimble in using information properly and technology to detect, disrupt and prosecute those who would do us harm," Clarke said in his speech.

"Harm can arise to the citizen where information is not being properly shared, by people he is entitled to assume are sharing it, as well as when it is shared carelessly, so our regime has both to protect the use of data, but also to enable the use of data for a proper purpose," Clarke said.

Clarke said that the European Commission's plans to revise the Data Retention Directive should be viewed "with caution". In April the Commission said it would consider strengthening regulations of the storage, access to and use of retained data to improve the protection of personal data.

Plans for a new EU Passenger Name Record (PNR) Directive should be broadened so that passenger details are recorded for all flights within the EU, Clarke said. The European Commission's plans for a new PNR Directive currently propose recording passenger's details for all flights to and from the EU.

"It makes no sense to collect PNR information on flights to and from third countries without also collecting the same information on flights between EU Member States," Clarke said.

Clarke described the UK's existing PNR arrangement with the US as "absolutely critical to improving US and EU security" and said that countries should share data collected on passengers.

"It was the use of Passenger Name Record data that enabled the identification of the terrorist facilitator at the heart of the Mumbai attacks," Clarke said.

"We will be positively negligent if we fail to take advantage of the improved security that we can give to passengers by properly pooling protected data that we both have," Clarke said.

Clarke said it was wrong to impose EU data protection laws on companies based elsewhere in the world that may handle EU citizens' personal information. "It’s wrong to view the extension of the application of European Union law on a global scale as some simple and unquestioned process," Clarke said.

"If we expect the EU regime to protect the data of EU citizens regardless of location, then it wouldn’t be unreasonable to expect Australians, Japanese and citizens from other countries working in the European Union to import their own legislative rights with them," Clarke said.

Clarke said new data protection laws should make it easier for companies to transfer customer data.

"We should consider moving from a system which restricts information based on national standards of data protection, to a system based on the standard of data protection of the particular company involved – far more relevant to modern methods of business," Clarke said.

The European Commission is expected to propose changes to the Data Protection Directive later this year.